It's very easy to exploit - basically, some systems don't like being pinged with a packet greater than 65536 bytes (as opposed to the default 64 bytes). This bug is not limited to Unix, but is popping up on Macs, Netware, Printers, Routers... the list goes on. Patches are coming out extremely fast - the award did go to the Linux community for getting a patch out within three hours (well, 2 hours 35 minutes 10 seconds if you must know), but Bill Webb from Telebit assures me that the Netblazer patch was out within two! OK, OK, you can share the prize money... :-)
An IP datagram of 65536 bytes is illegal, but possible to create owing to the way the packet is fragmented (broken into chunks for transmission). When the fragments are reassembled at the other end into a complete packet, it overflows the buffer on some systems, causing (variously) a reboot, panic, hang, and sometimes even having no effect at all...
Most implementations of ping won't allow an invalid datagram like this to be sent. Among the exceptions are Windows '95 and NT, although they are certainly not the only ones...
Background Information on ICMP ECHO ("ping"):
IP packets as per RFC-791 can be up to 65,535 (2^16-1) octets long, which includes the header length (typically 20 octets if no IP options are specified). Packets that are bigger than the maximum size the underlyling layer can handle (the MTU) are fragmented into smaller packets, which are then reassembled by the receiver. For ethernet style devices, the MTU is typically 1500.
An ICMP ECHO request "lives" inside the IP packet, consisting of eight octets of ICMP header information (RFC-792) followed by the number of data octets in the "ping" request. Hence the maximum allowable size of the data area is 65535 - 20 - 8 = 65507 octets.
What causes my machine to crash from this?
Note that it is possible to send an illegal echo packet with more than 65507 octets of data due to the way the fragmentation is performed. The fragmentation relies on an offset value in each fragment to determine where the individual fragment goes upon reassembly. Thus on the last fragment, it is possible to combine a valid offset with a suitable fragment size such that (offset + size) > 65535. Since typical machines don't process the packet until they have all fragments and have tried to reassemble it, there is the possibility for overflow of 16 bit internal variables, which can lead to system crashes, reboots, kernel dumps and the like.
Bottom line is that blocking ping at the firewall is a temporary fix only. The only solution is to secure the kernel against overflow when reconstructing IP fragments. (To the best of my knowledge, all of the patches currently available fix the problem). So don't think you're safe just because you've blocked ping. Damage could be done through NFS, telnet, http... in short, any port your machine listens on is a target (and maybe even those you don't listen on... anyone?)
ping -l 65510 your.host.ip.address
The message on the '95 box will be "Request Timed Out". This means that the ping wasn't answered, either because the machine is ignoring you (and rightly so if you're going to send it invalid packets), or because it's dead. It's that simple...
By blocking ping, you prevent people from pinging you at all. This could possibly break some things that rely on ping - I believe that DEC ObjectBroker uses ping to confirm a connection is still up. Other packages may go too.
A better solution than blocking all pings is to block only fragmented pings. This will allow your common-or-garden 64 byte ping through on almost all systems, while blocking any bigger than the MTU size of your link. (This varies, but about 1k is a good bet).
| Operating system | Version | Symptoms | Comments |
|---|---|---|---|
| Solaris (x86) | 2.4 | Reboot | Patches are available for 2.5 and 2.5.1, but there are no patches for 2.4. |
| Minix | 1.7.4, v2.0 and probably others | Crash | No fix yet |
| HP3000 MPE/iX | 4.0, 5.0, 5.5 | System abort | The exact message was "System abort 3890 from subsys 201". |
| Convex SPP-UX | All versions | Crash | No fix yet, but Convex are working on a patch. |
| AOS | ? | ? | This is suspected to be vulnerable, based on its BSD 4.3 heritage. However, only one person has been able to crash it yet, using a 32768 byte packet |
| KA9Q OS | ? | Crash | No fix yet |
| NEXTSTEP | various | Platform dependant | Next have tested this, follow the link for more info. The vulnerability is to a 32768 byte packet |
| Apple Mac | MacOs 7.x.x | Crash | See the Mac page for details |
| Windows 3.11 with Trumpet Winsock | ? | Mixed reports | One person has had no problems, another two get network errors and lose the network connection - the machine had to be rebooted to restore it |
| Windows 3.11 with FTP software PCTCP 4.0, Chameleon NFS 5.4, Digital Pathworks stack 6.0.034 and LINK TCP stack | - | Hangs | No fix... |
| MSDOS with Lan Workplace | ? | Crash | No fix yet |
| Novell Netware | 3.x | Mixed results | Ranging from crash to no effect. 3.11 with TCPIP.NLM v1.01 hangs the IP stack (IPX/SPX stack is OK), while 3.12 with TCPIP.NLM v2.02 rev 9 is unaffected. |
| SCO Open Desktop, Internet FastStart, SCO Unix SysV/386 | ? | Vulnerable | SCO have found this vulnerable. Again, see the CERT advisory. The problem is network card dependant - at least the NE2000 and the SMC range are vulnerable |
| Windows '95 | All of 'em | Crash | Once again, the same problem as NT 3.51 and NT 4.0. '95 can be killed quite effectively by sending a large ping (not receiving). Try the instructions Microsoft have given for NT 3.51, and remember, your mileage may vary - a lot of people have no problems |
| Operating system | Version | Symptoms | Comments |
|---|---|---|---|
| AIX | 3 and 4 | Operating system dump. | Patch Available! The patch for 3.2.5 has been around for a while, so it may already be applied to your system. |
| Linux | <= 2.0.23 | Spontaneous reboot or kernel panic | Patch available!, and supplied here. Kernel 2.0.24 is out, which fixes this. Upgrade now! |
| Linux | 1.2.13 | Reboot, Hang or No effect | Patch available!, although this one hasn't been tested. Supplied here |
| DEC Unix/OSF1 | 2.0 and above | Kernel Panic | Patch available! and supplied here |
| OpenVMS for AXP | various | Mixed reports | Patch really is available!, as of 15th November (so I've been told). Follow the yellow brick link |
| OpenVMS for VAX | v6.2, UCX v4.0 and others | Reboot | It turns out the the one person who managed to crash this was right... OpenVMS for VAX is vulnerable, as DEC have found out. I haven't got any information on this, other than that the vulnerablity is presumably the same as for DEC Ultrix, and that more information can be gained from the CERT Advisory or the Ultrix page linked in column one |
| HP-UX | 9.0 to 10.20 | Crash, Reboot, Hang... | Patch available!, follow the link... (it works too...). See also CIAC F-04 for the same information, just officially |
| Windows NT | 3.5.1 | Mixed results | The latest word is Microsoft have acknowledged the problem and have released a patch (it seems that sending a bad ping can make NT do some funny things!). Some info just in is that if you do as M*soft says (ping -l 65510 -s 1 ip.address) you can crash NT 3.51. So maybe it is vulnerable after all. |
| Galacticomm Worldgroup BBS/Terminal Server | 1.0, 2.0 | General Protection Fault | Yup, this has been fixed too. Patches available for v1 and v2, with version v3 being ping proof. Follow the ol' hyperlink for the scoop. Note that this problem only affects the Galacticomm TCP/IP stack - the Vircom MajorTCP/IP stack is not vulnerable |
| MkLinux | ? | Crash | There is a guide available on upgrading your kernel to 2.0.27, which will fix the problem |
| Unisys A series | TCP/IP pre 32.4 release | Crash | Unisys have informed me that this problem is corrected in the 32.4 and higher A series TCP/IP product. I'm assuming that an upgrade will correct it |
| Convex OS | All versions | Crash | Patch available! Contact the TAC |
| Solaris (x86) | 2.5, 2.5.1 | Reboot | Patch available. The official patches are #103170-10 for v2.5 and #103631-05 for v2.5.1. |
| Tandem NSK | C30, D20, D42 | Loses TCP/IP | OK, it's not a crash. But (as it has been pointed out to me) if you lose a couple of thousand users who are connected via TCP/IP, that's not safe. For the D20 and C30 machines (I don't know about the D42), sending a ping between 32553 bytes and 32739 bytes kills the TCP/IP process. Pings up to 32759 bytes leave the TCP/IP process running, but unable to function. Greater than 32760 bytes are ignored. Tandem have released some patches, follow the link in column one for more info. Note that patches are not available for all versions. |
| Digital Ultrix for MIPS/VAX | All | Vulnerable | This can be killed by a varient on the Ping O'Death under certain conditions (no, I don't know any more than that - DEC aren't telling). DEC have released patches for versions 4.3 on, details of which can be read on the page linked to in column one |
| Digital UNIX MLS+ | v3.1a and presumably earlier versions too | Vulnerable | See the CERT advisory for details (well, a brief summary) |
| Digital Firewall, AltaVista Firewall for UNIX | ? | Vulnerable | See the CERT advisory |
| Digital VAX/ELN | ? | Vulnerable | See the CERT advisory |
| IBM Secure Network Gateway Firewall | ? | Presumably the same as AIX | See the CERT advisory for details and APAR numbers. |
| Irix | 5.3 | Panic | Patch now available!. Follow the link in column one. This patch also fixes the SYN flood problem. The problem appears to be difficult to reproduce, but if it can be reproduced it will work fairly consistently. |
| Windows NT | 4.0 | Crrrash | Service Pack 2 seems to fix this problem - please let me know if this is not the case. Well, I've been mailed a lovely little batch file by Mark Rejhon that I have been told will crash NT4 fairly reliably. Marks just sent me a new script with better "documentation", and has informed me that the problem appears to be with sending the pings - as is the case with NT 3.51, NT 4.0 seems to be happier on the receiving end of the ping of death. Either way, its a bug, but unless your machine turns suicidal NT owners have less to worry about (it would seem). |
| SCO Openserver | 4.2, 5.0.x and presumably prior versions | Vulnerable | Patch available. The patch can be downloaded here, and a description of the patch is available here |
| DEC TOPS-20, TOPS-10 | All | Errors | These dinosaurs have a memory leak, caused by sending fragmented packets. Do it too often, and something will go. Fred Wright has patches available for both systems |
| Operating system | Version | Symptoms | Comments |
|---|---|---|---|
| NetBSD x86, VAX | 1.1, 1.1a | Mixed reports | One person has managed to crash this, another two have not, and another has not only failed to reproduce this, but has checked the source code and is certain it can't be done! It sounds like the crash was an isolated incident |
| Apple Network Server | ? | Crash | I am unsure of this. I've been told that ANS is based on AIX 4.1.4, which is vulnerable. The AIX patches will stop your machine booting, so don't apply them! There's still no word from Apple on this |
| Operating system | Version Tested |
|---|---|
| Solaris (Sparc) | 2.3, 2.4, 2.5, 2.5.1 |
| MVS Mainframe with TCP/IP stack from Interlink | 3.1, 4.1 |
| MVS Mainframe with TCP/IP stack from IBM | 3.1, 3.2 |
| FreeBSD | 2.0 and above |
| BSDI/OS | 2.01, 2.1 |
| DRS/NX (sparc) | 7MPlus.9.8 |
| DRS/NX (ICL) | 7.7.8 |
| UnixWare | 1.0, 1.1, 2.1 |
| SunOS | 4.1.x |
| Olivetti SVR4 | 2.4.1 |
| NCR Worldmark running MP-RAS SVR4 | 2.02, 2.03, 3.0 |
| DG/UX | 4.11, 5.4 |
| Irix | 6.2 |
| LynxOS | 2.3.0 |
| Windows 3.11 with Novell Client-32 / Cisco TCP/IP / MultiNet / WRQ / NCSA / Pathway / MS TCP-32 stack | ? |
| Windows '95 | ? |
| OS/2 | 2.11, 3, 4 |
| Banyan VINES | 6.30, 7.0 |
| Unisys U2200, U6000 | SVR4 1.4, 1.4.1 |
| OS/400 | V3R1 |
| Novell Netware | 4.1 |
| BeOS DR8 network server | ? |
| Cray C94, M92 | Unicos 9.0.2.0, roo.21 and roo.8 |
| IPR (PC-based router) | 0.954 |
| MS-DOS w/ Clarkson Telnet | ? |
| VM Mainframe | IBM TCP/IP for VM v2.2 |
| Apple A/UX | 3.0.2 |
| Sequent Dynix/ptx | 4.2 |
| Interactive Systems ISC | 3.0 |
| Bell Plan 9 | all, presumably |
| Acorn RISC OS | Internet 4.xx and 5.02 |
| QNX | 4.22 |
| NEC EWS-UX/V | All |
| NEC UP-UX/V | All |
| NEC UX/4800 | All |
| MacOS running Vicom IP software | All |
| System | Version | Symptoms | Comments |
|---|---|---|---|
| Ascend Pipeline 130 Router | 4.6Ci12 | Mixed results | Two people have had no trouble. Another two have caused a reboot. This reportedly crashed while routing packets, not being pinged (pung?) itself!! |
| Ascend Pipeline 50 Router | ? | Reboot | Two people have trouble with this. v4.6Ci17 dies on about the 11th 65510 byte packet. Ascend are unable to reproduce this, and I have had several reports that it's safe, so your mileage may vary |
| HP Laserjet III, IV | ? | Crash | Crashes with "80 Service (01E0)" - It has to be physically turned off and on again. |
| HP Laserjet V | ? | Crashes | An improvement over the Laserjet III - It prints a diagnostic sheet first, then it dies. Note one person with JetDirect firmware version A.04.09 reported only a lockup for 20 seconds or so, not a crash. |
| Sun X Terminals | ? | Panic | A packet of 50000 bytes will set this off |
| NCD X Terminals | 3.3.2, 4.0 | Panic | A packet of 32750 bytes will set this off |
| HDS Viewstations | ? | Crash | No fix yet, although someone can't reproduce with HDS code v3.0.4, and HDSware/Server code v3.0.1 |
| Tektronix X-Terminal | ? | Lapse of reason | Tek have informed me that most versions of their X-Terminals will lock up for 30 seconds or so on reciept of the Ping of Death, but will then come back to life |
| Microcom HDMS chassis with INC | ? | Momentary lapse of reason | Well, not exactly. It stops responding to TCP/IP traffic for 5 minutes or so, and then seems to recover by itself. 5 minutes seems long enough to list it as vulnerable. |
| Livingston ORU ISDN-Ethernet router | 3.4.2Lc1 | Hangs | A disconnect and a reconnect will remedy this |
| Digital PEswitch 900TX | firwmare 1.1.0 | Crash | After 10 or so rapid oversize packets |
| 3Com (aka ChipCom) Oncore Advanced Ethernet Management Modules | firmware 4.20-A | Lapse | Management functions (e.g. OnDemand NCS) were intermittently impacted, but this cleared up after three minutes or so. |
| Shiva Access port | ? | Dies | No more information so far |
| ACC Danube router | v8.0.7 | Reboots | ACC have tested this and found it safe, but at least two people disagree. |
| System | Version | Symptoms | Comments |
|---|---|---|---|
| Netblazer LS 2PT | ? | Reboot | Emergency patch available. Contact telebit for details |
| NetBlazer 40i | 3.2 | Lockup | Locks up completely, have to hard-reset. The latest patch (v3.1 patchlevel 12) fixes the problem. I had an emergency patch available here for download, but this has now been superceded by Telebit's official patch, which you can get through the official channels |
| Bay Networks Access Node Routers | various | Reboots | Bay Networks have fixed this (The reference is Change Request CR24142). The fix can be found in 8.12/rev 14 and 10.01/rev 3. 11.00 also contains the fix. |
| 3Com Netbuilder II router | ? | Reboots | 3Com now have a fixed version of this. The WA v8.3.0.84 and the FF version 9.1.0.24 are safe |
| Alantec Powerhub (router/bridge) | <v7-2.6.3.2 pl 9 | Reboot | When given a broadcast ping of 30000 or greater. I've been told the latest version, version 7-2.6.3.2 pl 9, is immune. |
| System | Version | Symptoms | Comments |
|---|---|---|---|
| Cisco 4000 | ? | Crash | Only two reports on the 4000. One guy had no problems, another has trouble about 70% of the time. The more heavily loaded it is, the higher the chance of a crash. Cisco are sure that the 4000 is OK, which seems reasonable as all their other products hold up well. |
| System | Version |
|---|---|
| Ascend Max 4000 | ? |
| NetBlazer SP | 3.0 patch 9 |
| NetBlazer Classic | 2.3 patch 13 |
| 3Comm Lanplex & accessbuilder | ? |
| 3Comm Linkbuilder FMS/II | Flash 3.11, Prom 1.01 |
| Cisco Terminal Server | ? |
| Xyplex TS/720 | V6.0.1S41, Rom 460003 |
| Cisco 7500, 2501, 2503, AGS+ | ? |
| ELSA LANCOM Multiprotocol router | ? |
| Livingston IRX, Portmaster | ComOS 3.2.1R |
| IBM6611 router | ? |
| Retix 7000 router | ? |
| Shiva FastPath V | KStart code version 9.2 |
| HP J2410 intelli hub | ? |
| Securicor 3Net | model 2431, firmware 7.2.01 |
| Digital DECnis router 600 | 3.1.6 |
| ACC Colorado | 8.3.3 |
| ACC Amazon | 10.0 |
| ACC Tahoe | 7.3 |
| Digital DEClaser 3500, 5100 printer Ethernet card | v01.38, v03.05 |
| Digital DECconcentrator 900MX FDDI concentrator | v3.1.1 |
| Digital RouteAbout EW/MP brouter | v1.1.005 |
| Digital DECbrouter 90 | 10.2(5) |
| Digital DECrepeater 90TM | 2.0.0 |
| Digital DECswitch 900EF | 1.5.2 |
| Digital DECbridge 900MX | 1.5.2 |
| Digital DECserver 300, 700 | V2.2 BL44-3, V1.1 BL44-1 |
| Nexland 10T(12/24) 12/24-port SNMD-managed hub | 1.20 |
| ACS 4105 remote bridge | 2.0 |
| Xerox docuprint 4571 | XNIC ethernet card v4.14, 4.14N3 |
| Wellfleet routers | various |
| Morningstar router | v1.6 |
| Xylogics Terminal Server | ? |
| Borderguard 1000, 2000 and Passport systems | ? |
| Lexmark Optra Laser Printer | ? |
| Chase IOLAN Terminal Server | ? |
| Ascend Pipeline 25 | ? |
| Synoptics (Bay networks) 2813 repeater | v5.1.1 |
| Shiva Access switch | 4.5 |
| Hirschmann Hubs | ? |
| Shiva Lanrover | OS v4.0, VRAM v5.6.0, HW v1.0 |
| AXIS Printservers, CD-Servers and Camera-Servers | All |
| XMiNT Xterminal System | All |